Closed Bug 1474067 Opened 2 years ago Closed 2 years ago

[wpt-sync] Sync PR 11838 - Un-deprecated 'child-src'

Categories

(Core :: DOM: Security, enhancement, P4)

RESOLVED FIXED
mozilla63
Tracking Status
firefox63 --- fixed

People

(Reporter: mozilla.org, Unassigned)

Details

(Whiteboard: [wptsync downstream][domsecurity-backlog])

Sync web-platform-tests PR 11838 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/11838
Details from upstream follow.

Andy Paicu <andypaicu@chromium.org> wrote:
>  Un-deprecated 'child-src'
>  
>  'child-src' is now part of the fallback chain for 'worker-src'.
>  This means that 'child-src' always takes precedence over 'script-src'
>  when checking worker requests.
>  Added extra tests to ensure that a worker request blocked by
>  'child-src' and allowed by 'script-src' is blocked.
>  
>  Removed previous logic that considered 'script-src' to be the
>  fallback for 'worker-src' and amended tests. Removed "temporary"
>  logic put in place to not break "child-src" using sites.
>  
>  Refactored the OperativeDirective logic to ensure that the caller
>  does not need to be aware of the precise fallback chain of the directive,
>  otherwise the way to get the 'worker-src' operative directive would be:
>  
>  OperativeDirective(worker_src_.Get(),
>        OperativeDirective(child_src_.Get(),
>            OperativeDirective(script_src_.Get())));
>  
>  To be submitted with the spec PR as it includes tests.
>  Spec: https://github.com/w3c/webappsec-csp/pull/313
>  
>  Bug: 669496
>  Change-Id: I7ca9552df1d0ce203a604b0e469a268f6b112e49
>  
>  Reviewed-on: https://chromium-review.googlesource.com/1128087
>  WPT-Export-Revision: e0cb359cb9cf659e6ea04915c0afcb5a11b9c866
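
The fallback order described in the commit message above, as an added JavaScript sketch (not Chromium's code and not part of the synced tests): it picks the operative directive for a worker request and shows that a `child-src` rejection is final even when `script-src` would allow the URL. The function names, the sample origin `https://site.example` and the simplified source matching are assumptions; the trailing `default-src` entry is the general CSP fallback and does not come from this page.

```javascript
// Fallback chain for worker requests after this change. The first three
// entries are from the commit message; the trailing default-src is the
// general CSP fallback and is an addition here.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Parse one serialized policy into Map<directive, sources[]>.
// A repeated directive is ignored: the first occurrence wins.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Name of the first directive in the chain that the policy declares,
// or null when none is present (the request is then unrestricted).
function operativeDirective(policy, chain = WORKER_FALLBACK) {
  return chain.find((name) => policy.has(name)) ?? null;
}

// Simplified matching (assumption): only 'none', 'self', '*' and exact
// origins. Real CSP matching also covers schemes, wildcards and paths.
function sourceListAllows(sources, url, selfOrigin) {
  const origin = new URL(url).origin;
  return sources.some((s) => {
    if (s === "'none'") return false;
    if (s === "'self'") return origin === selfOrigin;
    if (s === '*') return true;
    try { return new URL(s).origin === origin; } catch { return false; }
  });
}

// Only the operative directive is consulted, so a permissive script-src
// cannot rescue a worker request that child-src rejects.
function checkWorker(header, workerUrl, selfOrigin) {
  const policy = parsePolicy(header);
  const directive = operativeDirective(policy);
  const allowed = directive === null ||
    sourceListAllows(policy.get(directive), workerUrl, selfOrigin);
  return { directive, allowed };
}

// Constructed sample policy: child-src blocks, script-src would allow.
console.log(checkWorker("child-src 'none'; script-src 'self'",
  'https://site.example/worker.js', 'https://site.example'));
```
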
Component: web-platform-tests → DOM: Security
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Whiteboard: [wptsync downstream][domsecurity-backlog] → [wptsync downstream]
Ran 15 tests and 15 subtests
OK     : 15
PASS   : 12
FAIL   : 3

New tests that have failures or other problems:
/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html
    Same-origin dedicated worker allowed by worker-src 'self'.: FAIL
/content-security-policy/worker-src/service-worker-src-child-fallback-blocked.https.sub.html
    Same-origin service worker allowed by child-src 'self'.: FAIL
/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html
    Same-origin shared worker allowed by child-src 'self'.: FAIL
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/80e0f5033581
[wpt PR 11838] - Un-deprecated 'child-src', a=testonly
https://hg.mozilla.org/integration/mozilla-inbound/rev/6b1a0510aa8f
[wpt PR 11838] - Update wpt metadata, a=testonly
https://hg.mozilla.org/mozilla-central/rev/80e0f5033581
https://hg.mozilla.org/mozilla-central/rev/6b1a0510aa8f
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63